Total
4252 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-1391 | 1 Redhat | 1 Build Keycloak | 2025-11-20 | 5.4 Medium |
| A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges. | ||||
| CVE-2025-55244 | 1 Microsoft | 3 Azure, Azure Ai Bot Service, Azure Bot Service | 2025-11-20 | 9 Critical |
| Azure Bot Service Elevation of Privilege Vulnerability | ||||
| CVE-2025-55238 | 1 Microsoft | 3 365, Dynamics 365, Dynamics 365 Fasttrack Implementation | 2025-11-20 | 7.5 High |
| Dynamics 365 FastTrack Implementation Assets Information Disclosure Vulnerability | ||||
| CVE-2025-54914 | 1 Microsoft | 2 Azure, Azure Networking | 2025-11-20 | 10 Critical |
| Azure Networking Elevation of Privilege Vulnerability | ||||
| CVE-2025-53791 | 1 Microsoft | 1 Edge Chromium | 2025-11-20 | 4.7 Medium |
| Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network. | ||||
| CVE-2025-54116 | 1 Microsoft | 19 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 16 more | 2025-11-20 | 7.3 High |
| Improper access control in Windows MultiPoint Services allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-54098 | 1 Microsoft | 27 Windows, Windows 10, Windows 10 1507 and 24 more | 2025-11-20 | 7.8 High |
| Improper access control in Windows Hyper-V allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-49692 | 1 Microsoft | 2 Azure, Azure Connected Machine Agent | 2025-11-20 | 7.8 High |
| Improper access control in Azure Windows Virtual Machine Agent allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2024-11483 | 1 Redhat | 3 Ansible Automation Platform, Ansible Automation Platform Developer, Ansible Automation Platform Inside | 2025-11-20 | 5 Medium |
| A vulnerability was found in the Ansible Automation Platform (AAP). This flaw allows attackers to escalate privileges by improperly leveraging read-scoped OAuth2 tokens to gain write access. This issue affects API endpoints that rely on ansible_base.oauth2_provider for OAuth2 authentication. While the impact is limited to actions within the user’s assigned permissions, it undermines scoped access controls, potentially allowing unintended modifications in the application and consuming services. | ||||
| CVE-2025-54561 | 1 Desktopalert | 2 Pingalert, Pingalert Application Server | 2025-11-20 | 4.3 Medium |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows remote access to content despite lack of the correct permission through a Broken Authorization Schema. | ||||
| CVE-2025-63225 | 1 Eurolab | 1 Elts100 Ubx | 2025-11-20 | 9.8 Critical |
| The Eurolab ELTS100_UBX device (firmware version ELTS100v1.UBX) is vulnerable to Broken Access Control due to missing authentication on critical administrative endpoints. Attackers can directly access and modify sensitive system and network configurations, upload firmware, and execute unauthorized actions without any form of authentication. This vulnerability allows remote attackers to fully compromise the device, control its functionality, and disrupt its operation. | ||||
| CVE-2025-56499 | 1 Metacubex | 1 Mihomo | 2025-11-20 | 6.5 Medium |
| Incorrect access control in mihomo v1.19.11 allows authenticated attackers with low-level privileges to read arbitrary files with elevated privileges via obtaining the external control key from the config file. | ||||
| CVE-2024-7557 | 1 Redhat | 2 Openshift Ai, Openshift Data Science | 2025-11-20 | 8.8 High |
| A vulnerability was found in OpenShift AI that allows for authentication bypass and privilege escalation across models within the same namespace. When deploying AI models, the UI provides the option to protect models with authentication. However, credentials from one model can be used to access other models and APIs within the same namespace. The exposed ServiceAccount tokens, visible in the UI, can be utilized with oc --token={token} to exploit the elevated view privileges associated with the ServiceAccount, leading to unauthorized access to additional resources. | ||||
| CVE-2025-0650 | 1 Redhat | 2 Enterprise Linux, Openshift | 2025-11-20 | 8.1 High |
| A flaw was found in the Open Virtual Network (OVN). Specially crafted UDP packets may bypass egress access control lists (ACLs) in OVN installations configured with a logical switch with DNS records set on it and if the same switch has any egress ACLs configured. This issue can lead to unauthorized access to virtual machines and containers running on the OVN network. | ||||
| CVE-2023-5207 | 1 Gitlab | 1 Gitlab | 2025-11-20 | 8.2 High |
| A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user. | ||||
| CVE-2025-54339 | 1 Desktopalert | 2 Pingalert, Pingalert Application Server | 2025-11-19 | 10 Critical |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for Escalation of Privileges. | ||||
| CVE-2025-54343 | 1 Desktopalert | 2 Pingalert, Pingalert Application Server | 2025-11-19 | 9.6 Critical |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for Escalation of Privileges. | ||||
| CVE-2025-53360 | 1 Glpi-project | 1 Database Inventory | 2025-11-19 | 4.3 Medium |
| pluginsGLPI's Database Inventory Plugin "manages" the Teclib' inventory agents in order to perform an inventory of the databases present on the workstation. In versions prior to 1.0.3, any authenticated user could send requests to agents. This issue has been patched in version 1.0.3. | ||||
| CVE-2024-28390 | 1 Advancedplugins | 1 Ultimateimagetool | 2025-11-19 | 9.8 Critical |
| An issue in Advanced Plugins ultimateimagetool module for PrestaShop before v.2.2.01, allows a remote attacker to escalate privileges and obtain sensitive information via Improper Access Control. | ||||
| CVE-2024-6364 | 1 Absolute | 1 Persistence | 2025-11-19 | 6.4 Medium |
| A vulnerability in Absolute Persistence® versions before 2.8 exists when it is not activated. This may allow a skilled attacker with both physical access to the device, and full hostile network control, to initiate OS commands on the device. To remediate this vulnerability, update the device firmware to the latest available version. Please contact the device manufacturer for upgrade instructions or contact Absolute Security, see reference below. | ||||